Yes, I see that. I'm looking for the URL below, but I can't find it. I wanted to look something up. Maybe you could help:
http://www.grsecurity.net/news.php#digitalfud
Has it been deleted? Together with the earlier statement? What's the reason? :-O
More precisely, this is what I'm missing:
Official message regarding claimed grsecurity/PaX vulnerabilities
While we do not want to bring any more attention to the obviously attention-seeking "company" claiming two vulnerabilities (one local, and one remote) in nonspecific versions of the Linux kernel in combination with nonspecific versions of grsecurity/PaX, I believe it's prudent to reply to the FUD in a direct way so that our users can be better informed. The company in question is the same company that claimed a Linux 2.6.x remote root which never came to fruition (see http://www.zone-h.org/content/view/14395/31/).
The company clearly is trying to drum up attention for itself and fool some people with deep pockets into throwing away $80,000 to them and hope that in 6 months time people will forget all about it just like the remote Linux 2.6.x vulnerability.
As the PaX team has mentioned on the forums (see http://forums.grsecurity.net/viewtopic.php?t=1643), the function they claim the vulnerability to be in is a trivial function, which can, and has been, easily checked for any supposed vulnerabilities.
The company is very likely not of US origin, given their cheap hosting provider, nonexistent business address, nonexistent LLC in New York, and horrible spelling. They've also attempted to drum up interest in their company by posing as potential customers on mailing lists (see: http://www.securityfocus.com/archive/82/415359).
For these public reasons, it can safely be said that these vulnerability claims are pure attention-seeking FUD for a shady company.
It's still available here.
--
trey @ gépház